Avatar of PhotronicsBridgend
 asked on

multiple 2003 active directory domains into tree

Hello all,
            The company I work for has multiple physical sites around the world, each site has thier own independant 2003 server active directory domain setup. All running off seperate DNS (some UNIX bind, some microsoft dns). We also have a top level AD domain that is utilised for exchange mail. We were looking @ replacing all these seperate domains with a single domain running off MS dns, but this has been deemed unworkable due to the need to have a PDC emulator @ each site to allow for older MS systems & unix to authenticate to regardless of the status of the wan link. Therefor the plan is to create a tree structure joining all the different domains together allowing for us to share resources & have a single sign on (we currently have multiple password for different services) etc etc.

company.com  (top level AD only utilised for exchange mail)
eu.compnay.com  (another site AD used for full services)
ad.company.com  (another site AD used for full services)
xm.company.com  (another site AD used for full services)
etc etc

I wanted to check to ensure
A) this is possible
B) whether this arcitecture will allow single sign on
C) possible methods of deployment considering these domains are already present
D) if there are any major issues with this apporach

Many thanks....
Windows Server 2003

Avatar of undefined
Last Comment

8/22/2022 - Mon

A: Yes this is possible.  You are right though a PDC Emulator needs to be placed in each child domain.  A PDC Emulator is just the first W2K3 DC you install in a domain.

B: Yes it will allow single sign on.

C: You will want to look into migration tools.  Microsoft has a free one called ADMT that you could look at to do this with.  It works great for small to medium size migrations.   There are 3rd party tools that cost money that also do migrations really well.

D: Not really any issues. This is really a good layout.  By have the domains broken out into geographic locations is good because you can have different security policies for different areas.


Hay Brian, thanks for that. A few further questions spring to mind then:-

So how would user authentication work then. Would you just have all the user accounts in the root domain & the child domains would look to it to authenticate the user when they logged on? How is it configured?

company.com     top level AD only utilised for exchange mail containing all the user accounts
eu.compnay.com     this child domain would look to company.com to authenticate its users


The accounts don't need to reside in your forest root domain.  

Your clients should reside and authenticate into the child domain.  Exchange however will be in the Forest root domain.  The clients will still be able to access their email by using name resolution.

All of life is about relationships, and EE has made a viirtual community a real community. It lifts everyone's boat
William Peck

Is there any way of utilising our current domains & connecting them up to our parent domain removing the need for us to build & distribute new child domains?

The main objective is a single point of authentication for users logon & exchange mail that reside in different domains:-

company.com  (top level AD only utilised for exchange mail)
eu.compnay.com  (another site AD used for full services)

Most companies use multiple domains when they want to have different password policies.  If that isn't need then yes a single domain can work.  You will want to must make sure that you use AD Sites well.  


& thats the problem! The initial thought was to build a singel domain replacing the multiple domains we have. BUT due to the fact that the unix systems @ each site (we are a manufacturer) authenticate against the PDC emulators on the site domain a single domain model doesnt allow enough redundancy. With a single domain structure, if the WAN goes down, then that site has no access to a PDC emulator & the unix systems go down (& so then does production).

This is why we require a strucure allowing independant PDC emulators per site but with world wide single signon including the exchange domain.
Get an unlimited membership to EE for less than $4 a week.
Unlimited question asking, solutions, articles and more.

Log in or sign up to see answer
Become an EE member today7-DAY FREE TRIAL
Members can start a 7-Day Free trial then enjoy unlimited access to the platform
Sign up - Free for 7 days
Learn why we charge membership fees
We get it - no one likes a content blocker. Take one extra minute and find out why we block content.
Not exactly the question you had in mind?
Sign up for an EE membership and get your own personalized solution. With an EE membership, you can ask unlimited troubleshooting, research, or opinion questions.
ask a question

Thanks mkbean youve been very helpfully. I am busy testing hence the lack of responce on my part